
The transformation, development and application practice of the new generation of IAM


Date: June 11, 2024

Unified identity and access management (IAM) is becoming increasingly important in today's “digital first” world. Modern enterprise employees expect a “work-from-anywhere” access mode: any device, any service. This forces organizations to consider building a new generation of IAM platforms that grant appropriate access rights to digital resources in a more systematic way, and so play an important role in protecting digital assets.

Development Trends of the Next-Generation IAM

Early IAM technology was built on a traditional IT architecture platform and was mainly responsible for managing people's identities. With the rapid development of digital business systems and IoT applications, IAM systems not only need to assign identities to a large number of “machines” and business systems and achieve effective management, but also need to formulate unified access rules and policies for various digital resources from the overall perspective of the organization's digital business development. In order to meet the above application requirements, the new generation of IAM technology has developed rapidly and is showing the following trends:

1. Decentralized identity

Decentralized identity is a key feature of how IAM is expanding to cover personal, application-service and machine identities. With the surge in the number of new identities, the underlying IAM technology needs to be completely transformed to meet organizations' identity management needs for digital development and privacy protection. Blockchain-enabled identity and decentralized identity are key features of the transformation of the new generation of IAM systems, enabling users to independently create, verify and register any type of identity they need. This paradigm shift not only reduces users' operating costs but also removes some of the inherent risks of the centralized identity management model, thereby enhancing the resilience and security of the digital ecosystem.

2. Zero Trust Security Architecture

Zero-trust security represents a conceptual shift in network security protection, embodying the principle of “never trust, always verify”. This approach requires continuous authentication of user identity to strengthen security controls. Under a zero-trust architecture, the IAM system needs to strike a delicate balance between user experience and security by reviewing each access request against user attributes and the permissions granted. An IAM system built on a zero-trust model helps organizations cultivate a proactive security culture, limit the damage caused by unauthorized access and strengthen their overall security posture.

3. Enhanced User Experience

Improving the user experience of IAM systems is an organizational imperative. To accomplish this goal, IAM strategies must be closely aligned with business and IT goals to ensure that user-centric priorities resonate across organizational functions.

Organizations should also develop a unified and coherent strategy for all external users (consumers, business customers, and partners). For example, ensure that IAM priorities are aligned with business priorities and IT priorities, provide omnichannel experiences, and unify customer profiles. With a unified customer data stream, organizations can orchestrate personalized interactions that seamlessly span various touchpoints, while improving overall operational efficiency and cultivating deeper engagement and loyalty among users.

4. Passwordless Authentication

Passwordless authentication marks a significant shift away from traditional password reliance, providing a stronger, more user-friendly authentication method. To achieve this transformational shift, next-generation IAM solutions need to adopt innovative authentication methods such as biometrics to minimize the security vulnerabilities associated with traditional password-based systems. For example, adopting Fast Identity Online (FIDO) is a key step toward a completely password-free experience that protects against the ubiquitous threat of phishing attacks. By adopting a passwordless authentication approach, IAM can not only help organizations enhance their security posture, but also simplify user interactions, foster a frictionless authentication experience, and enhance overall resilience to evolving cyber threats.

5. Connect Anywhere Computing

Enterprise digital transformation and cloud applications require more support, including support for identities in hybrid IT environments, identities across multiple cloud platforms, and computing device identities. The transition to remote and connected computing emphasizes the need for more sophisticated access control mechanisms. In response to this changing environment, organizations are turning to advanced IAM platforms that can distinguish between legitimate users and malicious bots, thereby strengthening their network security defenses. By supporting Connect Anywhere Computing, IAM can provide employees with seamless remote access while protecting digital assets from emerging threats, ensuring strong protection in an increasingly connected environment.

6. Adaptive access control mechanism

Achieving a zero-trust architecture requires adopting industry best practices to minimize security risks and strengthen organizational defenses. This involves enforcing multi-factor authentication (MFA) as a base requirement for privileged access, adding an additional layer of security beyond traditional password authentication methods.

In addition, using adaptive access control mechanisms as part of the zero-trust architecture further enhances security by continuously evaluating and adjusting access permissions based on contextual factors such as user behavior and device status. With adaptive access control policies, organizations can establish a stronger security posture that not only reduces the risk of unauthorized access, but also aligns with evolving cybersecurity standards and protects sensitive data and critical assets from sophisticated cyber threats.
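The following is an added example, not code from the article, showing how an adaptive access policy can combine the contextual signals discussed above (user behavior, device status) with the baseline rule that privileged access always requires MFA. The signal names, weights and thresholds are assumptions chosen for illustration.

```python
"""Adaptive access decision for a zero-trust IAM gateway (added example).
Signal names, risk weights and thresholds are assumed for illustration."""
from dataclasses import dataclass


@dataclass
class AccessContext:
    user: str
    resource: str
    privileged: bool          # resource grants admin or privileged rights
    mfa_verified: bool        # strong second factor completed this session
    device_managed: bool      # device enrolled and posture-checked
    device_compliant: bool    # encryption, patch level, endpoint agent present
    new_location: bool        # location differs from the user's usual ones
    impossible_travel: bool   # two logins too far apart in too little time
    failed_logins_1h: int = 0


def risk_score(ctx: AccessContext) -> int:
    """Accumulate risk from behavioral and device signals (assumed weights)."""
    score = 0
    if not ctx.device_managed:
        score += 30
    if ctx.device_managed and not ctx.device_compliant:
        score += 20
    if ctx.new_location:
        score += 15
    if ctx.impossible_travel:
        score += 50
    score += min(ctx.failed_logins_1h, 5) * 5   # cap so bursts saturate
    return score


def decide(ctx: AccessContext) -> str:
    """Return 'allow', 'step_up' (require MFA now) or 'deny'."""
    score = risk_score(ctx)
    # Hard stops: no in-session MFA prompt should rescue these.
    if (ctx.impossible_travel or score >= 70
            or (ctx.privileged and not ctx.device_managed)):
        return "deny"
    # Zero-trust baseline from the text: privileged access always needs MFA.
    if ctx.privileged and not ctx.mfa_verified:
        return "step_up"
    # Adaptive part: moderate risk escalates to MFA even for ordinary resources.
    if score >= 25 and not ctx.mfa_verified:
        return "step_up"
    return "allow"
```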

New Generation IAM Application Practice

Because IAM involves the daily work of multiple stakeholders, its application is often considered complex, difficult, and costly. In order to better build and apply IAM and maximize its value, it is recommended that enterprise organizations follow the following best practices:

1. Thoroughly audit your organization’s assets

When an organization integrates new IAM tools into its digital business, the first step should be a thorough audit of the organization's assets and applications, and especially of its user identities, because many of them may have expired. These stale accounts pose a real risk to the entire system, and cleaning them up brings great benefits to the organization. Once the historical identity inventory is understood, the organization can start to deploy the new IAM tools. In the process, security managers must build identity governance and privileged access management to prevent unauthorized access.
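As an added example (not from the article), the audit step above can be expressed as a small rule set over an identity inventory: it flags dormant accounts, orphaned accounts whose owner has left, and privileged accounts without MFA, the three categories a governance and PAM rollout should clean up first. The record fields, the 90-day dormancy window and the inventory itself are constructed assumptions.

```python
"""Identity inventory audit before rolling out a new IAM platform (added example).
Record fields and the dormancy window are assumptions; the inventory is constructed."""
from datetime import date, timedelta

DORMANT_AFTER = timedelta(days=90)   # assumed policy threshold
TODAY = date(2024, 6, 11)            # fixed so results are reproducible

# Constructed sample inventory: one dict per identity account.
INVENTORY = [
    {"id": "alice", "type": "human", "owner_active": True,
     "last_login": date(2024, 6, 10), "privileged": True, "mfa": True},
    {"id": "bob", "type": "human", "owner_active": False,
     "last_login": date(2024, 1, 3), "privileged": False, "mfa": False},
    {"id": "svc-backup", "type": "service", "owner_active": True,
     "last_login": date(2024, 6, 9), "privileged": True, "mfa": False},
    {"id": "carol", "type": "human", "owner_active": True,
     "last_login": date(2024, 2, 1), "privileged": False, "mfa": True},
    {"id": "svc-legacy-etl", "type": "service", "owner_active": False,
     "last_login": None, "privileged": True, "mfa": False},
]


def findings_for(acct: dict, today: date = TODAY) -> list[str]:
    """Return the governance findings that apply to one account."""
    out = []
    if not acct["owner_active"]:
        out.append("orphaned")          # owner left; nobody is accountable
    last = acct["last_login"]
    if last is None or today - last > DORMANT_AFTER:
        out.append("dormant")           # unused, but still a valid credential
    if acct["privileged"] and not acct["mfa"]:
        # Human admins get MFA; service accounts go to PAM vaulting instead.
        out.append("privileged_no_mfa" if acct["type"] == "human"
                   else "privileged_service_needs_pam")
    return out


def audit(inventory: list[dict], today: date = TODAY) -> dict[str, list[str]]:
    """Map account id to its findings, omitting clean accounts."""
    report = {}
    for acct in inventory:
        f = findings_for(acct, today)
        if f:
            report[acct["id"]] = f
    return report
```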

2. Pilot “from point to surface” (start small, then expand)

When building a new generation of IAM, it is recommended to start small – identify four to five of the most widely used applications. Starting with pilot work, the security team can work closely with those application teams to build and launch integrations. Early usage experience will also help provide momentum for other projects internally.

Specifically, organizations can choose a technology, such as multi-factor authentication (MFA) or privilege management, and then take a phased approach by department or region, using the lessons learned from each small deployment to make subsequent deployments more successful. It doesn't matter where you start, what matters is that you stick with it.

3. Choose the right service provider

It’s also important to choose your IAM service provider wisely, comparing the market and what each platform or tool suite offers. Security teams should also strive to answer the following basic questions:

Does it have all the components and features your organization needs?

Can it manage the applications across all of the organization's environments?

Is it possible to provide a unified identity management “interface” to manage all identities?

Does the system integrate effectively with existing business systems in the environment?

If the above factors are not fully considered in advance, a lot of resources of IT and security teams may be consumed during the construction of the IAM system.

4. Win support from company management

For the IAM system to be successfully integrated and applied, it must be supported by the company's board of directors and the relevant business departments. Practical experience shows that the biggest challenge to the success of IAM projects is cultural resistance and employees' reluctance to adopt something new. Strategically, the key to an IAM project is to communicate fully with the board and senior management so that they understand the value of the goals the project is trying to achieve.

For many security teams, getting the board to understand cyber risk and how it relates to business risk remains a challenge. For this scenario, it is recommended to use some data-driven real-world examples to resonate with management, such as what penalties would regulators impose on the organization if sensitive data was leaked due to an identity attack, or what would happen if the organization's intellectual property was leaked? Would the organization lose competitive advantage or even customers?

In addition to board involvement, buy-in from the business side of the organization is also required. This will ensure that employees do not try to find ways to circumvent IAM and make the system more difficult to operate.
